Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the Print Spooler component. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. This service spools print (Print Spooler) Read more…
Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools. Impacket can work with plain, NTLM and Kerberos authentications, fully supporting passing-the-hash (PTH) attacks and more. https://github.com/SecureAuthCorp/impacket Method Port Used psexec.py tcp/445 dcomexec.py tcp/135, tcp/445, Read more…
BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths. It does so by using graph theory to find the shortest path for an attacker to traverse to elevate their privileges within the domain. How Does BloodHound Work? BloodHound Read more…
This time we will set a SMB server to run script from using impaket-smbserver https://github.com/SecureAuthCorp/impacket Download 1. Download the scripts git clone https://github.com/SecureAuthCorp/impacket.git 2. locate the smbserver script find . -iname *smbserver* 2> /dev/null Note: I already have it installed in my Kali machine How to 1. In your Linux Read more…
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate. https://docs.microsoft.com/en-us/windows/win32/winrm/portal WinRM is a command-line tool that is used for the following tasks: Remotely communicate and interface with hosts Read more…
The ASREPRoast attack looks for users with don’t require Kerberos pre-authentication attribute (DONT_REQ_PREAUTH). That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. it is not recommended to enable “Do not require Kerberos preauthentication”, because without Read more…
This publication is intended to guide you through to create a custom wordlist using hashcat. 1. First create or have already a word list. (I created a 4 words list) cat mylist.txt 2. if you want to add dates next to the work you cant create a wordlist for i Read more…
Sometimes in windows, we discover services that run with SYSTEM level privileges but doesn’t have proper permissions set by an administrator. These services mostly exist in third party software and these services are the best victims for privilege escalation. In this example we will escalate from user1 to administrator, using Read more…
Sometimes a normal user needs the ability to do some operations on a service, such as starting or stopping, multiple ways exists to grant these permissions. Windows has no GUI or (easy to use) command line tool on board to set these access rights. I will explain 1 way to Read more…
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. This writing is about how to run it, and, complete Post-Exploitation activities How to 1. Download the script from GitHub (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git cd privilege-escalation-awesome-scripts-suite 2. Navigate through the directories to find the binary Read more…
Having credentials for Umbraco CMS allows us to run a reverse shell. This time we will run the exploit (https://www.exploit-db.com/exploits/49488) How to 1. In searchsploit you can search for Umbraco exploits searchsploit umbraco Note: This indicates it works on 7.12.4 version. Since we have already admin credentials for this app Read more…
Having already set up Active directory as per (https://vk9-sec.com/active-directory-dns-lab/). We can set up the SPN service for testing purposes. To use Kerberos authentication requires both the following conditions to be true: The client and server computers must be part of the same Windows domain, or in trusted domains. A Service Read more…
Kerberos Workflow using Messages In the Active Directory domain, every domain controller runs a KDC (Kerberos Distribution Center) service that processes all requests for tickets to Kerberos. For Kerberos tickets, AD uses the KRBTGT account in the AD domain. Service Principal Names A service principal name (SPN) is a unique Read more…
This time we will enumerate Apache Tomcat/7.0.88, brute force the login and upload a webshell. The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic TTP auth, the most common credentials are: admin:admin Read more…
LDAP queries can be used to search for different objects (computers, users, groups) in the Active Directory LDAP database according to certain criteria. This time, we will use LDAP to enumerate Active Directory users. Search LDAP using ldapsearch ldapsearch opens a connection to an LDAP server, binds, and performs a Read more…
Group Policy Preferences (GPP) was introduced in Windows Server 2008, and among many other features, allowed administrators to modify users and groups across their network. Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating Read more…
mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin, and raw socket connections. Additionally, It also provides the means to save connection settings such as hostnames, IP addresses, protocol, port, and user credentials, Read more…
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7. https://github.com/411Hall/JAWS How to 1. Download the script git clone https://github.com/411Hall/JAWS.git cd JAWS ls 2. Read more…
A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders. VHD files may be used to install Read more…
Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and magic unicorn will automatically generate a powershell command that you need Read more…
Multiple vendor applications that utilize FCKeditor could allow a remote attacker to traverse directories on the system and upload arbitrary files. A remote attacker could exploit this vulnerability using directory traversal sequences in the CurrentFolder parameter to several connector modules to view arbitrary files or upload malicous executable files on Read more…
Drupal has an insecure use of unserialize(). The exploitation of the vulnerability allowed for privilege escalation, SQL injection and, finally, remote code execution. (https://www.ambionics.io/blog/drupal-services-module-rce) We will use Exploit db code to exploit this vulnerability. (https://www.exploit-db.com/exploits/41564) Exploit 1. Determine the version of drupal. For this we can access CHANGELOG.txt from the Read more…
A plugin-based scanner that aids security researchers in identifying issues with several CMS. (https://github.com/droope/droopescan) Supported CMS are: SilverStripe WordPress Drupal Partial functionality for: Joomla (version enumeration and interesting URLs only) Moodle (plugin & theme very limited, watch out) How to use 1. Download the application git clone https://github.com/droope/droopescan.git cd droopescan Read more…
Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper sanitization of handles in memory by the Secondary Logon Service. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code as an administrator and take control Read more…
This tutorial has been written to find out someone’s public IP using web images links. Note that the result depends on whether the person is using any VPN or spoofing their IP. How to 1. Upload an image to any image hosting site. In this case I will be using Read more…
WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported. (https://github.com/bitsadmin/wesng) How to use 1. Read more…
Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes. HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in Read more…
Watson is a C# implementation of a tool to quickly identify missing software patches for local privesc vulnerabilities. We’ll download the zip from the GitHub page and double click Watson.sln in our Windows machine to open it in Visual Studio. (https://github.com/rasta-mouse/Watson) For information about installing Visual Studio, visit Microsoft official Read more…
Sherlock is a Powershell script used to privilege escalation, quickly finding vulnerabilities in the system. (https://github.com/rasta-mouse/Sherlock) Currently looks for: MS10-015 : User Mode to Ring (KiTrap0D) MS10-092 : Task Scheduler MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow MS13-081 : TrackPopupMenuEx Win32k NULL Page MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference Read more…
The Microsoft Windows Ancillary Function Driver (afd.sys) could allow a local attacker to gain elevated privileges on the system, caused by improper validation of input passed from user mode to the kernel. By executing a malicious application on the vulnerable system, a local attacker with valid login credentials could exploit Read more…
The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not Read more…
Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service. By sending specially-crafted RPC requests to a vulnerable system, a remote attacker could exploit this vulnerability to execute arbitrary code and gain complete Read more…
WordPress Plugin User Role Editor is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions by gaining administrator access. WordPress Plugin User Role Editor version 4.24 is vulnerable; prior versions may also be affected. The WordPress User Role Editor plugin prior to Read more…
Plainview Activity Monitor plugin for WordPress could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability using shell metacharacters in the ip parameter to inject and execute arbitrary OS commands on the system. The Plainview Activity Read more…
Restricted shells are conceptually shells with restricted permissions, with features and commands working under a very peculiar environment, built to keep users in a secure and controlled environment, allowing them just the minimum necessary to perform their daily operations. Once hackers get a low privileged shell, even a restricted one, Read more…
Apache James is a mail and news server and software framework written in Java. A bug in version 2.3.2 enables an attacker to execute arbitrary commands on the machine running the server. The vulnerability arises from an insecure default configuration and a lack of input validation in the server’s user Read more…
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. LXD is Ubuntu’s container manager utilizing Linux containers. It could be considered to act in the same sphere as Docker, The lxd group should be considered harmful in Read more…
Shellshock is effectively a Remote Command Execution vulnerability in BASH. The vulnerability relies in the fact that BASH incorrectly executes trailing commands when it imports a function definition stored into an environment variable. A lot of programs like SSH, telnet, CGI scripts allow bash to run in the background allowing Read more…
fcrackzip is a third-party tool for cracking zip files passwords. It tries to brute force using a list of passwords. Installation sudo apt install fcrackzip Before using fcrackzip we need a password protected zip file. zip –password <password><filename.zip> <data> zip –password vk9security new_file.zip data.txt How to use 1. Show help Read more…
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount Read more…
This lab is intended to demonstrate how to exploit BoF in Linux. The vulnerable application is Panel which can be downloaded from a VulnHub machine (https://www.vulnhub.com/entry/pinkys-palace-v2,229/). The executable can be found at (https://github.com/vry4n/BoF-Panel-Linux) This application is a custom app that runs on port 31337 & it is vulnerable to Buffer Read more…
Ssh2john is part of John The Reaper suite. This is a script that basically transforms [RSA/DSA/EC/OPENSSH (SSH private keys) ] private key to john format for later cracking using JtR How to 1. Having an RSA private key already cat id_rsa 2. locate the ssh2john script using find find / Read more…
Port Knocking is a method used to secure your port access from unauthorized users. Port Knocking works by Opening ports on a firewall by generating a connection attempt on a set of defined closed/open ports. Once a correct sequence of connection attempts is received, the firewall will open the port Read more…
WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes. This tool is available at: https://github.com/wpscanteam/wpscan, this comes installed in most security distributions. How to use 1. Display Read more…
chkrootkit is a tool to locally check for signs of a rootkit (http://www.chkrootkit.org/). It contains: chkrootkit: a shell script that checks system binaries for rootkit modification. ifpromisc.c: checks if the network interface is in promiscuous mode. chklastlog.c: checks for lastlog deletions. chkwtmp.c: checks for wtmp deletions. check_wtmpx.c: checks for wtmpx Read more…
The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user’s own computer. The NFS protocol is one of several distributed file system standards for network-attached storage (NAS). NFS Read more…
FreeBSD could allow a local attacker to gain elevated privileges on the system, caused by insufficient permission checks within the virtual memory system. An attacker could exploit this vulnerability using specific memory mapping and tracing operations to modify portions of the traced process’s address space. The vm_map_lookup function in sys/vm/vm_map.c Read more…
This time we will transfer a file using netcat, we will see examples from machine vk9-sec to lab-kali Bind connection 1. CLIENT: First, we will create a random file echo “Vry4n has been here.” > sample.txt cat sample.txt 2. SERVER: we will open a port in the remote machine waiting Read more…
PhpTax is free software to do your U.S. income taxes. Tested under Unix environment. The program generates .pdfs that can be printed and sent to the IRS. http://sourceforge.net/projects/phptax/ An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. User tainted data is used Read more…
PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). This has been taken from (https://www.exploit-db.com/exploits/31173) Exploiting Directory Traversal 1. Visiting the application at (http://192.168.0.18/pChart2.1.3/examples/index.php), we get to the examples folder. 2. This tool Read more…
HT is a file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats. Exploit 1. Check what sudo permission the current user has, desired “NOPASSWD” Read more…
Lotus CMS is a content management system built using PHP as a programming language, created by a company called Vipana LLC. This CMS is no longer being developed or maintained by its team, so download the files to set up your own Lotus CMS demo might pose some security issues. Read more…
The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. Summary of every phase in Incident response life cycle 1. Preparation This phase will be the work horse of your incident response planning, and in Read more…
Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning. This post is a shorter summary of NIST official documentation. Read more…
Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business. Mainly Splunk does these things: Ingests Data Parses, indexes and stores data Runs searches on index data For more info visit: Read more…
Robtex is a service which gathers public information about IP addresses, domain names, host names, Autonomous systems, and more. How to use 1. Access https://www.robtex.com/dns-lookup and search for the domain 2. In the results we can find Analysis DNS servers Mail servers IP address Quick Info FQDN DNS servers Records Read more…
Find out the infrastructure and technologies used by any site using results from Netcraft The information that netcraft provides includes: Background — This includes basic domain information. Network — This includes information from IP Address to Domain names to nameservers. SSL/TLS — This gives the ssl/tls status of the target Read more…
Information gathering is the first step of Ethical Hacking, where the penetration tester or even hackers gather information on their target victims. To increase your chances of a “successful” hacking, you will need to do a good job and spend time on this stage. There is a couple of information Read more…
NTDS.DIT These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users. The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location for extraction of information. This file can Read more…
Cached domain logon information Windows caches previous users’ logon information locally so that they can log on if a logon server is unavailable during later logon attempts. If a domain controller is unavailable and a user’s logon information is cached, the user will be prompted with a dialog that says: Read more…
In Windows 10 we can also gather credentials. This guide is focused on techniques that work in Windows 10. The attacker need at least an account or shell in the server That user need administrative privileges Having a shell in Meterpreter as an example we can migrate to a process Read more…
This time our target is Windows 7, having a reverse connection and appropriate privileges we can gather hashes, this is part of post exploitation activity. Metasploit Hashdump With hashdump meterpreter command we can extract hashes, we need to first migrate to a system process and then run the command 1. Read more…
This is to demonstrate different techniques to extract Windows users’ password. We need admin privileges to gather this information. Metasploit Hashdump Having a meterpreter session we can execute the command “hashdump” to get the values of all saved passwords of windows users sysinfo hashdump Load Mimikatz (kiwi) Meterpreter load kiwi Read more…
Most of the theory here has been taken from SANS documentation (https://www.sans.org/reading-room/whitepapers/testing/paper/39170) . This is intended to provide a summary about NT hashes and Pass the hash. LM Password Hashes The LAN Manager hash was one of the first password hashing algorithms to be used by Windows operating systems, and Read more…
This time we’ll exploit Minishare 1.4.1. This is a web application that runs on port 80 as HTTP, you can share files and the users can download them from the site. I uploaded the application to GitHub (https://github.com/vry4n/BoF-MiniShare-1.4.1) Lab details Windows XP x86 (192.168.0.5) Immunity debugger MiniShare 1.4.1 Kali (192.168.0.20) Read more…
This lab is intended to demonstrate how to exploit BoF in Windows. The vulnerable application is FreeFloat which can be downloaded from (https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip). The Freefloat FTP Server has many vulnerable parameters, which can be useful to practice on, and we will choose one of them here to do a full Read more…
Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. Installation 1. Run the commands below and wait for installation to complete sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh –force –silent 2. Upon completion. You can run the application with the command Read more…
This time we will configure basic AD and DNS functionality. The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual Read more…
curl, short for “Client for URLs”, is a command line tool for transferring data using various protocols. This tool has applications in many household products such as tablets, printers, cars, routers, etc. There is a vast amount of use-cases for curl, such as: FTP upload Proxy support SSL connections HTTP Read more…
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes Read more…
Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) Read more…
Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. Documentation GitHub: https://github.com/BC-SECURITY/Empire Client: https://github.com/BC-SECURITY/Starkiller Installation Server 1. Download Read more…
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that Read more…
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. It’s the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET API’s, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim Read more…
It allows you to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.). It is a Python tool that can analyze the SSL configuration of a server by connecting to it. Read more…
A self-signed certificate is a certificate that is signed by the person creating it rather than a trusted certificate authority. Self-signed certificates can enable the same level of encryption as a $1700 certificate signed by a trusted authority. (Self-signed certificates or certificates issued by a private CAs are not appropriate Read more…
Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB. An attacker can capture usernames and passwords on a local network by Read more…
Server Message Block (SMB) is a networking file share protocol included in Windows workstation and Windows server that provides the ability to read and write files and perform other service requests to network devices on a share. Windows supports file and printer sharing traffic by using the Server Message Block Read more…
SMTP is an application layer protocol. The client who wants to send the mail opens a TCP connection to the SMTP server and then sends the mail across the connection. The SMTP server is always on listening mode. As soon as it listens for a TCP connection from any client, Read more…
Vulnerabilities in SMB Shares are Medium risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely. Things that might be Read more…
FTP is a method to access and share files on the internet. The protocol is a way to communicate between computers on a TCP/IP network, FTP is a TCP based service exclusively and it is a client-server protocol where a client will communicate with a server. “File Transfer Protocol,” can Read more…
This document is intended to help understand what happens by PHP back-end processing of SQL queries, how to test SQL injections and how to secure code. Our goals here are the following Building MySQL database Create a PHP scripts to access & query the database HTML code as front-end Test Read more…
Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server Read more…
bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows. https://github.com/jehy-security/bwapp https://sourceforge.net/projects/bwapp/ Installation 1. Download the Read more…
Server-side redirection vulnerabilities arise when an application takes user controllable input and incorporates it into a URL that it retrieves using a backend HTTP request. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a Read more…
John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak passwords. It is one of the most popular password testing and breaking programs as it combines Read more…
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker Read more…
Command injection is one of the top 10 OWASP vulnerability. it’s an attack in which arbitrary commands of a host OS are executed through a vulnerable application. The attack is possible when a web application sends unsafe user data to the system shell function within the running script. This user Read more…
XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data XPath is a standard language. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate Read more…
Mutillidae is a vulnerable framework where you can practice OWASP top 10, https://owasp.org/www-project-top-ten/ Download https://sourceforge.net/projects/mutillidae/ sudo git clone https://github.com/webpwnized/mutillidae.git 1. Install the required repositories (in this case I’m using php 7.3) sudo apt-get install php7.3-curl php7.3-mbstring php7.3-xml Extra Show php version php –version 2. Extract the Mutillidae content in /var/www/html Read more…
BeEF utilizes YAML files in order to configure the core functionality, as well as the extensions. Most of the core BeEF configurations are in the main configuration file: config.yaml, found in the BeEF directory. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses Read more…
Shodan’s a search engine which helps find systems on the internet. It’s a great resource to provide passive reconnaissance. Some have described Shodan as a search engine for hackers, and have even called it “the world’s most dangerous search engine”. Devices that Shodan can find: Servers Routers Switches Printers on Read more…
Anonsurf uses TOR iptables to anonymize the whole system. Anonsurf gives users the capability of starting or stopping the I2P project. https://github.com/Und3rf10w/kali-anonsurf Installation 1. Download the file from github git clone https://github.com/Und3rf10w/kali-anonsurf.git 2. Run installer located in the download folder kali-anonsurf sudo bash installer.sh 3. Run the application after successful Read more…
The concept of permissions and ownership is crucial in Linux. On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else. owner – The Owner permissions apply only the owner of the Read more…
Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely Read more…
This has been writen to explain the steps to set a basic insecure SMTP lab. We are using hMailServer to act as a mail server & Thunderbird as mail client. https://www.hmailserver.com/ https://www.thunderbird.net/ Mail Server (hMailServer) 1. Start the wizzard 2. Next, Accept the license 3. Select the install folder, next Read more…
This Guide provides a high view of Windows local management of groups and users Users in windows a user account is a collection of settings used by Windows to understand your preferences. It’s also used to control the files and folders you access, the tasks you are allowed to perform, Read more…
This is a guide written to help administering Users and Groups properly in Linux. User Management useradd useradd is a low level utility for adding a new user or update default new user information When we run ‘useradd‘ command in Linux terminal, it performs following major things: It edits /etc/passwd, Read more…
The Linux terminal has a number of useful commands that can display running processes, kill them, and change their priority level. Parent and Child Processes Each unix process has two ID numbers assigned to it: The Process ID (pid) and the Parent process ID (ppid). Each user process in the Read more…
A picture metadata can change, example dates, if you download a picture directly from a browser. I recommend downloading the content using wget. Download from browser 1. In this case we can see a recent date (File modification date/time) ls -l needle.jpg date exiftool needle.jpg Download using wget 1. In Read more…